
How to add Open Code Review to Windsurf
AI code quality gate that detects hallucinated imports, stale APIs, over-engineering, and security anti-patterns in AI-generated code. Paste the config into ~/.codeium/windsurf/mcp_config.json and restart Windsurf.
Last updated June 14, 2026 · 27★ · stdio · no auth
Windsurf config for Open Code Review
npx -y @opencodereview/mcp-server

{
  "mcpServers": {
    "open-code-review": {
      "command": "npx",
      "args": [
        "-y",
        "@opencodereview/mcp-server"
      ]
    }
  }
}

Setup steps
1. Open Windsurf → Cascade → the hammer/MCP icon → Configure (or edit ~/.codeium/windsurf/mcp_config.json).
2. Paste the Open Code Review config below.
3. Fill in placeholder secrets, then save.
4. Click Refresh in the MCP panel.
5. Open Code Review's tools become available to Cascade.
Before you start
- Node.js with npx available
- Optional: a local LLM via Ollama (e.g. qwen3-coder) or any OpenAI-compatible API endpoint for L3 deep scan and auto-fix
What Open Code Review can do in Windsurf
- ocr_scan: Run a code quality gate scan over source files to detect hallucinated imports, stale APIs, over-engineering, and security anti-patterns.
- ocr_heal: AI auto-fix. Automatically generate and apply fixes for the issues OCR finds.
- ocr_explain: Explain a detected issue in detail, describing why it was flagged.
Security
Analysis can be run fully locally via Ollama so source code never leaves your machine. If you configure an OpenAI-compatible remote LLM provider instead, code snippets are sent to that provider for the deep-scan (L3) and heal layers. The package is licensed BUSL-1.1 (free for personal/non-commercial use; commercial use requires a Team or Enterprise license).
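The config on this page starts the server with npx -y and a package name that carries no version, so npx installs without prompting and resolves whatever release the registry currently tags as latest whenever it has to fetch the package. The following check is an added example, not code from the Open Code Review project; the function names and the 0.0.0 version are assumptions made for illustration. It lists MCP server entries in a Windsurf config that are launched through npx without an exact version pin:

```javascript
// Added example: flag MCP servers in a Windsurf mcp_config.json that are
// launched through npx without an exact package version.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Split "name@version" or "@scope/name@version"; a leading "@" is the scope.
function splitSpec(spec) {
  const at = spec.lastIndexOf("@");
  if (at <= 0) return { name: spec, version: null };
  return { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

function auditMcpConfig(configText) {
  const servers = JSON.parse(configText).mcpServers || {};
  const findings = [];
  for (const [server, entry] of Object.entries(servers)) {
    if (entry.command !== "npx") continue;
    const args = entry.args || [];
    // Simplification: the first non-flag argument is taken as the package.
    const spec = args.find((a) => !a.startsWith("-"));
    if (!spec) continue;
    const { name, version } = splitSpec(spec);
    if (version !== null && EXACT_VERSION.test(version)) continue; // pinned
    findings.push({
      server,
      package: name,
      version, // null, a tag such as "latest", or a range
      autoInstall: args.includes("-y") || args.includes("--yes"),
    });
  }
  return findings;
}

// The server entry from this page's config.
const PAGE_CONFIG = JSON.stringify({
  mcpServers: {
    "open-code-review": { command: "npx", args: ["-y", "@opencodereview/mcp-server"] },
  },
});

// Constructed sample: same entry with a placeholder version (0.0.0 is not a
// real release number; substitute the release you have reviewed).
const PINNED_CONFIG = JSON.stringify({
  mcpServers: {
    "open-code-review": { command: "npx", args: ["-y", "@opencodereview/mcp-server@0.0.0"] },
  },
});

console.log(auditMcpConfig(PAGE_CONFIG));
console.log(auditMcpConfig(PINNED_CONFIG));
```

To audit a real installation, pass the text of ~/.codeium/windsurf/mcp_config.json to auditMcpConfig.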
Open Code Review + Windsurf FAQ
Where is the Windsurf config file?
Windsurf reads MCP servers from ~/.codeium/windsurf/mcp_config.json. Paste the Open Code Review config there under the "mcpServers" key and restart the client.
Is Open Code Review safe to use with Windsurf?
Analysis can be run fully locally via Ollama so source code never leaves your machine. If you configure an OpenAI-compatible remote LLM provider instead, code snippets are sent to that provider for the deep-scan (L3) and heal layers. The package is licensed BUSL-1.1 (free for personal/non-commercial use; commercial use requires a Team or Enterprise license).
Does my code get sent to the cloud?
Not necessarily. You can run analysis 100% locally with Ollama, in which case nothing leaves your machine. Code is only sent to a remote provider if you explicitly configure an OpenAI-compatible endpoint for the deep-scan or heal layers.
Which AI clients does the MCP server work with?
Any MCP-compatible client. The README documents Claude Desktop, Cursor, Windsurf, and VS Code Copilot using the same npx-based configuration.
What languages are supported?
Six: TypeScript/JavaScript, Python, Java, Go, and Kotlin, with hallucinated-package verification against npm, PyPI, Maven, and Go modules.